shantanuo

Reputation: 32306

Setting minimum role for elasticsearch instance put method

I have this CloudFormation template and it works as expected. It will add 1 record to the Elasticsearch index. But I am not sure if the Role is defined correctly. I need to set the minimum permissions for this function.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Gateway and Lambda function for mailgun API"

Resources:
  lambdaIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
      Policies:
        - PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Effect: "Allow"
                Resource:
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"
          PolicyName: "lambda"

  lambdaFunction:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        ZipFile: |
          def handler(event,context):
            from elasticsearch import Elasticsearch

            es = Elasticsearch(
                ['search-test-XXXX.us-east-1.es.amazonaws.com'],
                http_auth=('root', 'XXXX)'),
                scheme="https",
                port=443,
            )

            doc = {
                'author': 'kimchy',
                'text': 'Elasticsearch: cool. bonsai cool.'
            }
            res = es.index(index="test-index", id=1, body=doc)
 
      Description: "EmailThis"
      FunctionName: elast
      Handler: "index.handler"
      MemorySize: 128
      Role: !GetAtt "lambdaIAMRole.Arn"
      Runtime: "python3.6"
      Timeout: 100
      Layers: 
        - "arn:aws:lambda:us-east-1:770693421928:layer:Klayers-python38-elasticsearch:12"

Upvotes: 0

Views: 64

Answers (1)

Marcin

Reputation: 238139

Yes, the permissions in the role match those from the standard AWSLambdaBasicExecutionRole.

However, your role will not work, as it has an incorrect resource. Instead of:

                Resource:
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"

there should be:

                Resource:
                  - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/elast:*"

since elast is the name of your function, and not furl.

Upvotes: 1
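An added check, not part of the question or the answer, that automates the point made above: it walks a CloudFormation template and reports any CloudWatch Logs statement whose resource is not the function's own /aws/lambda/<FunctionName> log group (wildcard or another function's group). The template is a constructed, trimmed dict version of the question's template in long-form syntax, with !Sub and !GetAtt written as Fn:: maps so no YAML library is needed.

```python
import re

LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}
# One ARN segment: either a literal (no colon) or a pseudo parameter such as ${AWS::Region}.
SEG = r"(?:\$\{AWS::\w+\}|[^:]*)"
# A Logs ARN scoped to exactly one Lambda log group, with a literal or ${AWS::Partition} partition.
LOG_GROUP_RE = re.compile(
    rf"^arn:(?:aws|\$\{{AWS::Partition\}}):logs:{SEG}:{SEG}:log-group:/aws/lambda/([^:*]+):\*$")

# Constructed: the question's template in long-form (Fn::) syntax, trimmed to what the check needs.
TEMPLATE = {"Resources": {
    "lambdaIAMRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "lambda", "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": sorted(LOG_ACTIONS),
            "Resource": [{"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"}],
        }]}}]}},
    "lambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "FunctionName": "elast", "Role": {"Fn::GetAtt": ["lambdaIAMRole", "Arn"]}}},
}}

def as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def expected_log_group_arn(function_name):
    """The least-privilege Logs resource for one function, partition-agnostic (as in the answer)."""
    return ("arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}"
            f":log-group:/aws/lambda/{function_name}:*")

def check_template(template):
    """Return one finding per Allow statement on Logs actions whose resource is not the function's own log group."""
    resources, findings = template["Resources"], []
    for name, res in resources.items():
        if res["Type"] != "AWS::Lambda::Function":
            continue
        fn_name = res["Properties"]["FunctionName"]
        role = resources[res["Properties"]["Role"]["Fn::GetAtt"][0]]  # inline role in the same template
        for policy in role["Properties"].get("Policies", []):
            for stmt in policy["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") != "Allow" or not LOG_ACTIONS & set(as_list(stmt["Action"])):
                    continue
                for arn in as_list(stmt["Resource"]):
                    arn = arn["Fn::Sub"] if isinstance(arn, dict) else arn  # unwrap !Sub
                    match = LOG_GROUP_RE.match(arn)
                    if match is None:
                        findings.append(f"{name}: Logs resource not scoped to one log group: {arn}")
                    elif match.group(1) != fn_name:
                        findings.append(f"{name}: Logs resource names /aws/lambda/{match.group(1)} but FunctionName is {fn_name}")
    return findings

if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print(finding)
```

Run against the question's template it reports the furl/elast mismatch; replacing the resource with expected_log_group_arn("elast") makes it pass, while a bare "*" is flagged as not scoped.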
